From 12e47663cdc3ac5e84012f523281b039c3417612 Mon Sep 17 00:00:00 2001
From: ShirkNeko <109797057+ShirkNeko@users.noreply.github.com>
Date: Sun, 5 Oct 2025 19:50:17 +0800
Subject: [PATCH] kernel: For `cmd_su`, bypass the
 `susfs_is_current_proc_umounted` check only for system processes.

---
 kernel/core_hook.c | 27 ++++++++++++++++++++++-----
 1 file changed, 22 insertions(+), 5 deletions(-)

diff --git a/kernel/core_hook.c b/kernel/core_hook.c
index 588ddb96..b40e77d4 100644
--- a/kernel/core_hook.c
+++ b/kernel/core_hook.c
@@ -474,10 +474,24 @@ static inline void nuke_ext4_sysfs(void)
 
 static bool is_system_bin_su()
 {
+	if (!current->mm || current->in_execve) {
+		return 0;
+	}
+
 	// quick af check
 	return (current->mm->exe_file && !strcmp(current->mm->exe_file->f_path.dentry->d_name.name, "su"));
 }
 
+static bool is_system_uid(void)
+{
+	if (!current->mm || current->in_execve) {
+		return 0;
+	}
+	
+	uid_t caller_uid = current_uid().val;
+	return caller_uid <= 2000;
+}
+
 static void init_uid_scanner(void)
 {
 	ksu_uid_init();
@@ -498,8 +512,14 @@ int ksu_handle_prctl(int option, unsigned long arg2, unsigned long arg3,
 #ifdef CONFIG_KSU_SUSFS
 	// - We straight up check if process is supposed to be umounted, return 0 if so
 	// - This is to prevent side channel attack as much as possible
-	if (likely(susfs_is_current_proc_umounted())) {
-		return 0;
+	bool is_manual_su_cmd = (arg2 == CMD_SU_ESCALATION_REQUEST ||
+	                         arg2 == CMD_ADD_PENDING_ROOT);
+	if (is_manual_su_cmd) {
+		if (!is_system_uid())
+			return -EPERM;
+	} else {
+		if (likely(susfs_is_current_proc_umounted()))
+			return 0;
 	}
 #endif
 
@@ -522,9 +542,6 @@ int ksu_handle_prctl(int option, unsigned long arg2, unsigned long arg3,
 	bool from_root = 0 == current_uid().val;
 	bool from_manager = is_manager();
 
-	if (!current->mm || current->in_execve) {
-		return 0;
-	}
 #ifdef CONFIG_KSU_MANUAL_SU
 	if (arg2 == CMD_SU_ESCALATION_REQUEST) {
 		uid_t target_uid = (uid_t)arg3;